Installing the ERM module for device management

This describes how to use the ERM Installer to install the ERM module for device management.

As a prerequisite you must have already deployed an ERM virtual machine, and set up the ERM Installer.

To get started, use your browser to go the URL of the ERM Installer. The ERM Installer start screen shows all the products that you have access to via your license key. Currently this is limited to just the ERM module.

On first use you need to Configure the module, and if you later return to the page you can view the current Details of the module, such as the software version number and also review any warnings that might exist, such as with its certificates, and make changes to the primary configuration.

This topic covers:

Installation settings

The installation settings are a combination of required and optional settings.


In this section you specify the Hostname / FQDN of the product and select the SSL certificate to use.

See ERM certificate management for information about generating and uploading certificates.


The locale settings let you specify the default language (currently English or Swedish) and which timezone to use.

ERM uses the language setting in the web browser for the user interface, if that language is available. Otherwise it uses the nominated default language instead.

Other settings

The other settings let you specify the port on which to listen for proxy clients and the LDAP based phonebook service, and allow you to disable the proxyVM or Incoming LDAP phonebook services.

LDAP authentication settings

You can optionally use an external LDAP / Active Directory database to authenticate users accessing ERM.


The ERM LDAP configuration includes the following elements:

  • Access to a service account with read access to the Organizational Units (OUs) used to find user and security group objects.
  • A base Distinguished Name (DN) path to provide the starting point for the LDAP search query.
  • An LDAP user filter to provide a way to match users within the base DN path who should be provided access to the ERM interface.
  • Security groups that can be used to provide permissions for two of the three types of ERM users (Admins and Superusers) and are defined using their LDAP Distinguished Names (DNs).

Three types of users can be granted access to ERM via LDAP with different permissions:

  • Support: these users provide day-to-day ERM support and operations. They can add, remove and configure systems, schedule conferences, monitor call operations and statistics, perform firmware upgrades to the endpoints, etc.

    By default, users are granted this permission by simply existing within the defined base DN.

  • Admins: these users have all the permissions of Support personnel plus additional permission to configure the ERM core application settings (such as setting base provisioning details and default endpoint passwords), plus the ability to check on proxy clients' connection statuses.

    By default, users are granted this permission through a specific Security Group.

  • Superusers: These users have all the permissions of Admins plus the ability to manage the ERM backend system.

    By default, users are granted this permission through a specific Security Group.


You can configure the following settings:

Setting Description
Server The address of the LDAP server. To override the default port from 389/636 you can specify the address and port number in the format
Service account DN/username The distinguished name (DN) or username of the service account, for example CN=Svc_Pexip,OU=ServiceAccounts,DC=example,DC=org or
Password The password for the service account / username. Use dash "-" to set an empty password.
Use LDAPS-connection Select this option to use a secure connection. TLS may be used both with and without an LDAPS connection.
Ignore TLS/SSL verification errors Select this option if you want to ignore TLS/SSL verification errors.
Base dn Specify where in the tree the initial search for results should begin.
User filter

You can define how users are filtered out and displayed.

The default user filter allows any user object within the base DN path access to the ERM interface with a minimum of ERM support permissions. While you can control access to the ERM interface at the network level, it is generally considered good practice to ensure access permissions are only granted to users that require them. The default LDAP user filter may not, therefore, suit all enterprises. Please see the example below as to how you could provide more granular access.

Admin group DN Specify which group in the tree has access to admin rights in the system (which enables additional settings and functions for the logged in user).
Superuser group DN Specify which group in the tree has access to superuser status. Use this with caution as these users have full control over the system and should only be assigned to users with high technical knowledge.
Customer attribute Enter attributes for the customer’s shared key in multi-tenant installations.
Enable local accounts

Controls whether to allow login access to users in the local user database:

Yes: if the LDAP connection fails or is misconfigured then only local users that were manually added can log in.

No: if the LDAP connection fails or is misconfigured then nobody, including "pexip_fallback", can log in. Administrators can use the ERM Installer to test and reconfigure the connection.

Unknown: please ignore this option.

Note that local users are managed by Superusers through Backend admin settings.

Read only Select this option if you want to disable access to functions such as changing passwords, emails or other user information.
Remove optional setting Select this option to remove this LDAP configuration i.e. to revert to local account access only.

The ERM Installer has tools to test your LDAP or AD settings to make it easier for you to troubleshoot and get started — see ERM troubleshooting tools for details.

We have also provided a worked example below to help explain how to use the settings in your environment.

Separate domain name for video conference system requests

This is an optional set of configuration for a separate domain name for video conference system requests. Enter the hostname and any settings for the certificates to be used.

Initial deployment

After you have gone through and filled in the necessary settings during the configuration and clicked on Configure, you are redirected to the step to deploy your ERM installation.

Start by selecting which version of ERM to install in the drop-down list to the right then click on Deploy changes to start the installation. You can now follow the installation process in a terminal that appears under the deploy button. When the installation is complete, you may reload the page and then you should see the correct version displayed for ERM.

The next step is to complete the onboarding wizard as described below.

Onboarding wizard

Open a web browser and go to the hostname that you entered for the installation. Note that the hostname you selected for your installation must be a valid record in your DNS.

You are met by the ERM onboarding wizard which takes you through the following configuration steps.


Enter a name and click continue. This is used as the default organization for your ERM installation.

Add Pexip cluster

The next step is to set up a Pexip video cluster. Start by filling in a description for the cluster followed by choosing Pexip Infinity and specifying the SIP address to use for the cluster.

Note that you can subsequently update the cluster configuration via Backend admin > Clusters (requires superuser permissions).

Adding a Pexip cluster and a Pexip Infinity Management Node only applies to self-hosted Pexip Infinity customers. Please skip this step if you are a Pexip Service customer.

Pexip Infinity Management Node

Add the details of your Pexip Infinity Management Node to your cluster:

Option Description
Description A short description for the Management Node.
IP address The IP address for the node.
Ev. separate IP/host for API calls Choose if you want network separation for all API calls, so that traffic goes through a separate hostname if, for example, you want to add firewall rules.
DNS Name The DNS name of the Management Node.
Username and password The username and password that ERM needs to use to connect to the Management Node.
Prepare event sink and external policy

These options are currently unused and should not be configured.

Note that you can subsequently update the Management Node configuration via Backend admin > Meeting platforms (requires superuser permissions).

Choose password

Here you may enter a password for the fallback user "pexip_fallback". We recommend that you set a password so you always have a fallback user for recovering the platform. You may skip this step, but you will then have to use one of your LDAP users for future access.

If the password for the fallback user is non-existent or forgotten, and the LDAP integration is down, password recovery is only available via the virtual machine. In this case please contact support for further assistance. A password recovery in this way is a time-consuming process and that is why we always recommend setting a password for the fallback user which you then store in a safe place.

Note that you can subsequently update the fallback user via Backend admin > Users (requires superuser permissions).

All done!

After completing the onboarding wizard you are now ready to start managing all your video conferencing systems.

Note that the onboarding wizard settings can be updated via the Backend admin options (requires superuser permissions).

Updating settings after deployment

After the installation of ERM is complete, you still have the option to change settings. To do this:

  1. Select the installation you want to change from the ERM Installer start screen.
  2. Click on Configure for the product whose settings you want to change.
  3. When you have made your changes, click Save. This takes you back to the deployment of the product.
  4. Click on Deploy changes to apply the new settings to your installation.

    The module's services will be unavailable for a short period as the changes are applied, and the services restart.

After the installation process is complete you may now reload the page and your update is completed.

Online versus offline mode

If the primary ERM VM runs in online mode with direct access to the license activation services then the Deploy changes button completes the process.

If the primary ERM VM is used offline, then an offline bundle must be prepared from the online ERM VM:

  1. On the online VM, go to Installation > Installed Product > Details and select Export offline bundle to prepare the module image.

    The offline file can be large and take several minutes to prepare. Please be patient and do not navigate away from the page.

  2. Transfer the exported file using your preferred method (for example, a USB stick) to the second offline (air-gapped) VM.
  3. Using the Installer on the second VM, go to Settings > Handle offline bundle and Import the file that was just exported.

For full details about offline bundles, see Installing and upgrading ERM in an offline environment.

Example LDAP usage

Here is a worked example of LDAP usage that you can use as a guide and adapt for your own organization.